Reference(s) :

Affected version(s) :

Tested on :

Description :

Missing sanitisation of untrusted input allows an authenticated user who is able to request X11 forwarding to inject commands to xauth.

Injection of xauth commands grants the ability to read arbitrary files under the authenticated user’s privilege, Other xauth commands allow limited information leakage, file overwrite, port probing and generally expose xauth, which was not written with a hostile user in mind, as an attack surface.

xauth is run under the user’s privilege, so this vulnerability offers no additional access to unrestricted accounts, but could circumvent key or account restrictions such as sshd_config ForceCommand, authorized_keys command=”…” or restricted shells.

Commands :

Create a shell (/bin/bash) user1:
- with ssh key or password authentication
- add a force commands in authorized_keys file, like command="whoami"
Normally only the command “whoami” will be executed when SSH authentication will be done
Create a non-shell (/bin/false) user2
User provided PoC python script and connect to the vulnerable host
python poc.py
For example: python poc.py 192.168.6.146 22 user1 test
“.readfile” command allow to read files on the system
“.writefile” command allow to write files on the system